Re: [ActiveDir] [OT] Partitioning

2007-01-19 Thread AdamT

NTFSResize:

http://mlf.linux.rulez.org/mlf/ezaz/ntfsresize.html
or maybe
http://gparted.sourceforge.net/

As with anything that's going to mess with partition sectors, you'll
want to make a full backup first.

HTH,

Adam.

On 19/01/07, Brian Cline [EMAIL PROTECTED] wrote:



Hi folks, we've got a few partitions we need to enlarge on about 3 of our
servers – the space is there and available, but the partition just needs to
be expanded. Seeing as how PartitionMagic Pro has been discontinued, can
anyone recommend a good product for this?




--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


Re: [ActiveDir] Unable to logon after DCPromo - oddness

2007-01-19 Thread AdamT

On 18/01/07, Bahta, Nathaniel V CTR USAF NASIC/SCNA
[EMAIL PROTECTED] wrote:

You can run dcdiag on the enterprise which will gather data from every
server.  Try doing that and collecting data on the issue.  Also, do the
objects exist in Sites and Services for the server to replicate among
its peers?



Thanks to all for the many suggestions.  I hadn't realised that things
like dcdiag didn't need to be run on the affected DC.

Sadly, it's too late now, as the DC has gone to that big server-room
in the sky (or rather, Windows has been re-installed).

I checked the unattend file that was used to run dcpromo and found it
was being run by a VBS, with 'On Error Resume Next'.  Running the
dcpromo on other servers since then has worked fine, and now the
decision's been made to run dcpromo manually for this batch of 50
servers.

Oh well, it'll have to remain one of life's unsolved mysteries.

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


[ActiveDir] Unable to logon after DCPromo - oddness

2007-01-17 Thread AdamT

Dear collective,

I'm hoping somebody can help out with a little problem I've got here.
I've got a Windows 2003 R2 Server, which I've joined to a domain, and dcpromo'd.

After the dcpromo and subsequent reboot, I can't logon to the server,
either 'interactively' or via RDP, or using PsExec.  I can access file
shares, like c$, and I can point MMC snap-ins to the computer without
problems.

The fact that the server is now a DC seems to have replicated around
just fine (all DCs show that the server is now in the Domain
Controllers OU), but all the SRV records are missing.

The system log is full of Netlogon 5774 events, suggesting I run
dcdiag, which is a nice suggestion, but I can't log on to the server
to do it.

Another (healthy) DC's directory service logs shows plenty of event
1699s, complaining:

The local domain controller failed to retrieve the changes requested
for the following directory partition. As a result, it was unable to
send the change requests to the domain controller at the following
network address.

Directory partition:
CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
Network address:
a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
Extended request code:
2

Additional Data
Error value:
8453 Replication access was denied.


Has something gone horribly wrong here, or am I overlooking something
simple that I'm going to kick myself about later?

Any ideas appreciated,

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


[ActiveDir] Seized Roles - Flatten DC?

2007-01-11 Thread AdamT

Dear collective,

I am at a site where somebody has panicked, and all 5 roles have been
seized in the last month, and have then been transferred back to the
DCs they were previously on.

I had thought that certain roles (RID, Schema and possibly Domain
Naming) being seized meant you had to wipe the DCs, and re-install
Windows before you could use them again.

Problem is - I can't find anything on technet to back this up.  Best I
can find is an article saying that seizing the RID is a 'drastic
measure'.

Can anyone point me towards something which says, ideally - If you
seize role X, you MUST do Y, or the rivers will turn to blood, you
will be visited by a plague of locusts and your firstborn will be
killed.

Thanks in advance,


--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] Seized Roles - Flatten DC?

2007-01-11 Thread AdamT

On 11/01/07, Almeida Pinto, Jorge de
[EMAIL PROTECTED] wrote:

Also see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx

from: http://support.microsoft.com/?id=255504



Thanks Jorge,

Nothing about three days of darkness or locusts or the massacre of
first-borns, but I think it ought to settle the argument.  Of course,
now they'll just want to dcpromo the machines down, clean the metadata
and bring them back up again.  Nobody wants to re-install Windows on
servers sitting in a datacentre miles away.
Ho-hum, I tried my best...

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] Roaming Profiles not updating

2007-01-08 Thread AdamT

On 08/01/07, Ernesto Nieto [EMAIL PROTECTED] wrote:


The users keep telling me that when they delete icons from their desktop,
the settings stay, but maybe a week or two later, all those desktop icons
that they deleted return.  What I can't pinpoint is the why the profile
doesn't update.  I think the old profile returns when the tablet is used.
The tablet PC is wireless too, which they take home.


Do they always use the same tablet PCs?  Or do they swap around a lot?

Is it possible that the wireless driver doesn't initialise until
after the user has logged on, and so by the time the device has an IP
address, a cached profile has already been loaded?

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] Moving ADC

2007-01-08 Thread AdamT

On 08/01/07, dinesh shinde [EMAIL PROTECTED] wrote:



Hello Can someone help me on the below issue?



I don't mean to come across as being awkward, but I found it difficult
to understand what it is you're trying to do.  Could you perhaps
rephrase it a little?

Regards,

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] RealVNC removal

2006-10-11 Thread AdamT

On 09/10/06, Matt Hargraves [EMAIL PROTECTED] wrote:

I'd go with just disabling the service and setting it so that only Domain
Admins and System can even manage and/or see the service.  This is a
10-minute solution, whereas the others could take quite a bit of time to
research how to do correctly.


Since I put together a kludge to get UltraVNC config'd and out across
a few thousand machines a few months back, I've had to deal with the
removal of other VNCs

Running winvnc.exe -unregister should remove it from the list of
services.  If you want to go a step further (as you'll need to in
order to get UltraVNC's domain auth to work), you'll want to get rid
of c:\progra~1\RealVnc\*.* /s
and get rid of keys under HKCU and HKLM:

Software\RealVNC
Software\ORL

Bit late in replying, but hey-ho, I still have 1,263 other mails to
attend to



--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Managing Third-Party Users

2006-07-26 Thread AdamT

On 22/07/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:




I'm curious what, if anything, anyone else is doing to use some sort of
federated system so that user management is left at the hands of the
third-party companies.  I'm curious also if anyone is aware of any
consulting groups that have done this sort of thing w/ an agnostic approach
that can fit most environments.  I'd love to get an idea of where the
industry is heading with this sort of thing.  I'm sure the topic probably
came up at DEC which I didn't have the luxury of attending.



Not sure if I understand what you're getting at here, but in terms of
pure user account management, we tend to create a separate OU for the
external company, and delegate control of it to one of their more
clueful bods.

If you're managing citrix servers, you can do the above and give them
a custom task pad without having to give them access to log on
interactively or manage services or suchlike.

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread AdamT

On 21/07/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


The proposal here is to use .nom and the company name is Nomura.


Which is all fine and dandy until the French get envious of the .name
TLD and decide they're going to have their own equivalent...

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] ADSIEdit, Exchange and Assistants

2006-07-14 Thread AdamT

Just looking further in to this, it seems telephoneAssistant and
secretary are the fields that appear in outlook - both of which are
free text input.

It begs the question of what the DN field of 'assistant' actually
does.  Surely if it is expecting a distinguished name, it must be used
for something, somewhere?

Anyone know what?

On 13/07/06, AdamT [EMAIL PROTECTED] wrote:

Nevermind - figured it out myself after finding an account with N/A
in the field- the correct field is called 'telephoneAssistant', and is
a freetext input, rather than a DN.

On 13/07/06, AdamT [EMAIL PROTECTED] wrote:
 Dear font of all knowledge,

 I remember reading a thread a while back about changing the value of
 the 'assistant' field, using ADSIEdit.

 Somebody's asked me to do this today, so I've given it a go, and
 copied/pasted the DN from one user to the other's 'assistant' field -
 but the change doesn't appear to be showing in people's Outlook
 clients.  I've checked on a freshly installed Outlook client, just to
 be sure there's no cached data, and looking at the user's GAL
 properties still shows the assistant field as blank.

 Am I missing something here?  Is that not the same assistant field
 that Exchange 2K/2K3 would be looking at?  Is there something else I
 need to do to enable usage of this field?

 Thanks in advance,

 --
 AdamT
 If it truly were the thought that counted, more women would be pregnant - anon





--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


[ActiveDir] ADSIEdit, Exchange and Assistants

2006-07-13 Thread AdamT

Dear font of all knowledge,

I remember reading a thread a while back about changing the value of
the 'assistant' field, using ADSIEdit.

Somebody's asked me to do this today, so I've given it a go, and
copied/pasted the DN from one user to the other's 'assistant' field -
but the change doesn't appear to be showing in people's Outlook
clients.  I've checked on a freshly installed Outlook client, just to
be sure there's no cached data, and looking at the user's GAL
properties still shows the assistant field as blank.

Am I missing something here?  Is that not the same assistant field
that Exchange 2K/2K3 would be looking at?  Is there something else I
need to do to enable usage of this field?

Thanks in advance,

--
AdamT
If it truly were the thought that counted, more women would be pregnant - anon


Re: [ActiveDir] ADSIEdit, Exchange and Assistants

2006-07-13 Thread AdamT

Nevermind - figured it out myself after finding an account with N/A
in the field- the correct field is called 'telephoneAssistant', and is
a freetext input, rather than a DN.

On 13/07/06, AdamT [EMAIL PROTECTED] wrote:

Dear font of all knowledge,

I remember reading a thread a while back about changing the value of
the 'assistant' field, using ADSIEdit.

Somebody's asked me to do this today, so I've given it a go, and
copied/pasted the DN from one user to the other's 'assistant' field -
but the change doesn't appear to be showing in people's Outlook
clients.  I've checked on a freshly installed Outlook client, just to
be sure there's no cached data, and looking at the user's GAL
properties still shows the assistant field as blank.

Am I missing something here?  Is that not the same assistant field
that Exchange 2K/2K3 would be looking at?  Is there something else I
need to do to enable usage of this field?

Thanks in advance,

--
AdamT
If it truly were the thought that counted, more women would be pregnant - anon




[ActiveDir] Where's that account being used?

2006-06-27 Thread AdamT

Dear fountain of knowledge,

We've inherited a particularly messy AD structure, and we're now
trying to find out where a particular account is in use.  There's
around 80 servers in the domain and 3000 workstations, and this
account appears to be used for pretty much anything that wants to log
on as a service, or anyone who wants domain admin privs.

Is there any kind of audit utility to scan servers and see which
services are using the account, and ideally - any kind of monitoring
package to flag up an alert each time the account is used to, say, map
a drive or connect to a SQL db?

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] How to block particular Subjects

2006-06-23 Thread AdamT

I've not used IMF to do that before.  Perhaps you could plug in an
Exim or Postfix machine as your inbound MX and do the filtering there?

On 23/06/06, Ajay Kumar [EMAIL PROTECTED] wrote:


Hi AdamT,

Actually I didn't use IMF before. Will it really block the particular
subjects (attachment)? I mean to say that if a user sends their attachment
with particular subjects, it should be blocked.

Sam.





On 6/21/06, AdamT [EMAIL PROTECTED] wrote:

On 21/06/06, Ajay Kumar [EMAIL PROTECTED] wrote:
 

 I just want to know: is it possible to block particular subjects,
 e.g. (Resume), when a user sends any mail related to that subject to
 another domain (Internet)?
 We are using Exchange Server 2003 and have at least 500 users.
 Please give me any suggestion / software through which I can block

Have you looked at Intelligent Message Filters?

http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html


--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche





--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


[ActiveDir] OT (kinda): Standard Desktop Build

2006-06-15 Thread AdamT

Dear all,

What's in your standard desktop build?

We're looking at getting another 1,000 machines or so and coming up
with a new standard build for XP.

Apart from some of the obvious 'lockdown' changes, what else do you
add or modify in your standard desktop images?

Do you allow anyone access to the 'Power Users' group, and if so - do
you change the ACLs on any of the processes that run as LocalSystem?
Any funky utilities from technet or research.microsoft.com that are
worth playing with?

Any ideas appreciated,

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] DNS Question

2006-06-12 Thread AdamT

On 12/06/06, Za Vue [EMAIL PROTECTED] wrote:

Quick DNS question for you all.

DNS server- W23K
Domain-W23K

How do you add the URL http://www.test2.math.smith.edu to the domain
Physics.Smith.edu in DNS? Use CNAME?
If the URL was www.test2.physics.smith.edu then a simple host(A) would
be fine.


You could create a CNAME record to point www.test2.math.smith.edu to
physics.smith.edu, but you'd need to make sure that the web server
running on physics.smith.edu was prepared to take requests pointed at
www.test2

When your browser connects to a web server, it sends a host argument,
indicating which host it's attempting to connect to.  This is done
because sometimes several websites exist on one IP address.

So connecting to 192.168.1.10 and asking to GET /index.html with a
host argument of host:www.example.com might present the browser with a
different page to connecting to the same IP with host:www.example.org


--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche
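
The Host-header behaviour described in the reply above, as an added example that is not part of the original post: a local web server that only answers for the names in its virtual-host table, queried first with the CNAME alias before the server knows about it and then after the alias is added. The table contents, the page body and the choice to answer unknown names with 400 are assumptions made for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed virtual-host table: names the web server is prepared to answer for.
DEFAULT_VHOSTS = {
    "physics.smith.edu": b"Physics department home page\n",
}


class VHostHandler(BaseHTTPRequestHandler):
    """Pick the site to serve from the Host header, not from the IP address."""

    def do_GET(self):
        # Normalise the header: drop any :port suffix, trailing dot and case.
        raw = self.headers.get("Host") or ""
        host = raw.split(":")[0].rstrip(".").lower()
        body = self.server.vhosts.get(host)
        if body is None:
            # Assumed policy: refuse names the server was never configured for
            # instead of silently falling back to a default site.
            self.send_error(400, "Unknown host name")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def fetch(port, host_header, path="/index.html"):
    """Connect to the same IP every time; only the Host header varies."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.putrequest("GET", path, skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def demo():
    """Return (status, body) for the alias before and after the server accepts it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    server.vhosts = dict(DEFAULT_VHOSTS)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = {}
        # DNS (the CNAME) already gets the client to this IP, but the server
        # has no site bound to the alias yet.
        results["before_alias"] = fetch(port, "www.test2.math.smith.edu")
        # The web-server side of the change: bind the alias to the same site.
        server.vhosts["www.test2.math.smith.edu"] = server.vhosts["physics.smith.edu"]
        results["after_alias"] = fetch(port, "www.test2.math.smith.edu")
        results["canonical"] = fetch(port, "physics.smith.edu")
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for label, (status, body) in demo().items():
        print(f"{label:13s} {status} {body[:40]!r}")
```
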


Re: [ActiveDir] Is this like AD blog season or what?

2006-06-09 Thread AdamT

Not an AD blog, but I quite enjoy Raymond Chen's blog:

http://blogs.msdn.com/oldnewthing/

Interesting stuff, even if you're not a Win32 API guru.

And let's not forget the blog of the SBS Diva ;-)

http://msmvps.com/blogs/bradley/

On 09/06/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote:

Active Directory Discussion : Introducing the Active Directory
Discussion Blog:
http://blogs.technet.com/ad/archive/2006/06/09/434604.aspx





--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] max password age where else to look?

2006-06-06 Thread AdamT
On 06/06/06, [EMAIL PROTECTED] [EMAIL PROTECTED]
 wrote:



Yeah, I realised that shortly afterwards. The value of this approach escapes me, however :)

I don't care which day of the week I change my password on and nor should the users IMHO.

neil


The Friday before a long public holiday weekend is always a bad one to have people changing their passwords. So is the last working day before a Christmas holiday, as users will tend to either forget what they set it to, or write it down on a post-it and leave it in their desk.
My € 0.02

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


[ActiveDir] MSC pointing at untrusted domain?

2006-05-31 Thread AdamT

Dear collective,

I was wondering if there was a way to have a .MSC file (eg to show the
event log) of a computer in another domain, which has no trust set up
with the one I'm using.

Unfortunately, setting up a trust is not an option - as the other
domain is sitting on an SBS box.

I had hoped I could create a .msc pointing at the SBS domain/server
and get prompted for credentials, but it just goes straight to an
access denied error.

Any ideas?

TIA,

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] MSC pointing at untrusted domain?

2006-05-31 Thread AdamT

On 31/05/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:

How about:

Runas /netonly /user:target_computer\username eventvwr.exe
/auxsource=target_computer


Interestingly - that prompts for the password, and launches
eventviewer - but it's pointed at the logs of the local machine :-(

Thanks anyhow

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] MSC pointing at untrusted domain?

2006-05-31 Thread AdamT

That's done it!


Thanks - you've saved me from 'Remote Desktop Rage' - that situation
where there's too many people in need of an RDP session to a box with
insufficient licenses ;-)

On 31/05/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:

Sorry for the last incorrect answer.  Try this:

runas /netonly /user:domain_or_target_computer\username mmc.exe
eventvwr.msc /computer=target_computer

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, May 31, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MSC pointing at untrusted domain?

Dear collective,

I was wondering if there was a way to have a .MSC file (eg to show the
event log) of a computer in another domain, which has no trust set up
with the one I'm using.

Unfortunately, setting up a trust is not an option - as the other
domain is sitting on an SBS box.

I had hoped I could create a .msc pointing at the SBS domain/server
and get prompted for credentials, but it just goes straight to an
access denied error.

Any ideas?

TIA,

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche




--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] OT: Self grown AD webtool sample output - any takers in joint dev ?

2006-05-17 Thread AdamT

Hi,

I'm up for helping out a bit.  Not quite sure how I'll fit in.  I've
got quite a bit of experience with batch file scripting, and some with
VB6.  Currently playing about with VB 2005 Express (before I fully
commit to .NET).  I also have a fair bit of experience with PHP and
PERL, and limited knowledge of WMIC/ADSI.

Regards,

Adam.

On 17/05/06, Freddy HARTONO [EMAIL PROTECTED] wrote:





Hi guys

Sample web output
Output as attached in MHT - mostly are mouseovers as well as can be clicked
for more info to open newpage. (not attached here)

Domain Controller Status.zip
Background
Started up as a for fun thing - year and a half back on my prev job, which
then becomes a personal hobby and sort of a good to have tool for viewing
all DC tools results in one page (can be published on intranet)

Haven't had time to develop this anymore since a few months back, (too darn
busy now), anybody interested in joint dev or at least help out in improving
the codes?

Yes it is in batch files
Around 1000 lines of BATCH scripts so far (sorry dudes, I'm too dumb to
understand other scripting language), using tools such as support tools,
resource kit, psexec/rcmd, logparser, joeware etc etc. I'm hoping to keep
most of it still in batch otherwise I wouldn't understand any of it.

Please note some of these are very site specific, such as I'm using SAV all
along, so wouldn't work in Trend/Mcafee environment for example. And some
requires changing the variables manually - such as DN etc etc (too difficult
for me to make it very generic) also comments are minimal.

Agentless, query over the network (requires rcmdsvc.exe resource kit to be
installed though), runs on a scheduled basis (depending on network speed),
on a server (must be 2003).

Bugs?
Yeah Of course! LOTS of minor bugs (fair warning) and those of you that are
experts in codes will definitely laugh at my lines :)

Contact me offline if you are interested in joint effort or reviewing -
[EMAIL PROTECTED]

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785





--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread AdamT

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:

Yeah, disregard what I said about just leaving Admins on the allow logon
locally setting, that's my bad.  I guess best thing to do would be delete
all existing local user accounts.


Can you actually delete localhost\administrator on NT4/2K/XP workstations?

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


Re: [ActiveDir] [OT] GMAIL encoding

2006-05-10 Thread AdamT
On 10/05/06, Lou Vega [EMAIL PROTECTED] wrote:

 I don't know exactly where it is off the top of my head because I don't have
 access to GMAIL at work, but GMAIL does allow you (to my knowledge) to set
 the encoding of your messages if you wanted to…perhaps you can check into
 that?

It's under the settings like at the top right of the screen.  You get
a choice of:

Use default text encoding for outgoing messages

Or:

Use Unicode (UTF-8) encoding for outgoing messages


--
AdamT
'Thank-you for not requesting read receipts'


Re: [ActiveDir] anyone using IPV6?

2006-04-28 Thread AdamT

On 4/27/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:

Has anyone tried IPV6 yet?  Production?  Or just testbed?  Any gotchas?
What kind of infrastructure (eg, switches) is needed to support it?  How
does AD play in this sandbox?



On a similar note - is anyone here using 'jumbo' frames on their AD
network on either IPv4 or IPv6?


--
AdamT
'Thank-you for not requesting read receipts'


Re: going waaaayyy OT [ActiveDir] stupid ldap queries

2006-04-27 Thread AdamT
On 4/26/06, joe [EMAIL PROTECTED] wrote:

 I have an idea, if you are going to say rooter, why not actually try
 spelling it that way?  In the interests of removing confusion and global
 peace and love and all of that jazz. ;o)

English is not a phonetic language.  If it was, words like 'phonetic'
would be spelt phonetically.

In English, we have abandoned gender for nouns, and the case system
for the most part (with the exception of accusative forms, like
he/him, she/her, they/them).  It's only fair that we get some awkward
spellings - or else the language is in danger of being spoken by any
Tom, Dick or Harry with no allegiance to her Majesty, Queen Elizabeth
II... oh, right ;-)

--
AdamT
'Thank-you for not requesting read receipts'


Re: [ActiveDir] ADM files / sysvol management

2006-04-24 Thread AdamT
On 4/24/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:
 Graham-
 GP Editor will always download the ADM files that already exist within the
 ADM folder in SYSVOL, unless there is a version of an existing ADM file on
 the local c:\windows\inf folder that is newer.


On an ... ahem... academic note

At what point during the logon process does the GP editor check for this?
Could I craft my own ADM files (or create invalid or blank ones), and
use something like touch.exe to give them an up-to-the-minute
timestamp, and have those loaded instead of the ones the network
administrator had in mind?

--
AdamT
'Thank-you for not requesting read receipts'


Re: [ActiveDir] logging users out

2006-04-23 Thread AdamT
On 4/22/06, shereen naser [EMAIL PROTECTED] wrote:

 Hi list,
 how can I set Active directory to log out users after a specific period of
 time, say an internet cafe wants to log the users out after one hour? I
 don't want to use account expires, I want the account to be still active but
 to log the users out and they can re-login after that no problem.


I'm sure I have a copy of a logoff.exe file somewhere, which forces
all apps to close and takes you back to the 'press ctrl+alt+del to
logon' screen.

Perhaps you could add it in as a scheduled task, or use the 'at'
command in a logon script (or startup group or
HKLM\Software\Microsoft\Windows\CurrentVersion\Run for 'standalone'
workstations) to schedule it to run exactly one hour after logon.  The
only problem you'll have is if people want to stay on for two hours.


--
AdamT
'Thank-you for not requesting read receipts'


Re: going waaaayyy OT [ActiveDir] stupid ldap queries

2006-04-20 Thread AdamT
On 4/20/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Ditto viruses and virii. ...

Being a bit of a pedant, I have to point out that virii is neither
good English, nor good Latin:

http://www.wsu.edu/~brians/errors/virii.html


--
AdamT
A: Because it breaks the logical sequence of discussion
Q: Why is top-posting a bad thing?


[ActiveDir] XP Workstation Accounts

2006-04-19 Thread AdamT
Dear collective intelligence,

Is there any difference in functionality if you join a workstation to
a domain by specifying the old NT4 domain, as opposed to specifying
the fully qualified domain?

Eg - adding a machine to CORPDOM, rather than corporatedomain.com ?


Cheers,

--
AdamT
A: Because it breaks the logical sequence of discussion
Q: Why is top posting a bad thing?


Re: [ActiveDir] Property Sets and AD Security woes

2006-04-17 Thread AdamT
On 4/17/06, joe [EMAIL PROTECTED] wrote:


 Authors DO NOT get to pick the cover animal. Here is a little article on the
 O'Reilly cover animals...


Really?  I was *sure* that the animal on the cover of 'Quake 2 For
Llamas' had been deliberately picked to match the title:

http://letters.oreilly.com/pub/a/oreilly/letters/2001/spoofcovers_1201.html

--
AdamT
'Thank-you for not requesting read receipts'


Re: [ActiveDir] OT: Virus' Where are they?

2006-03-15 Thread AdamT
On 3/15/06, Shirley Graver [EMAIL PROTECTED] wrote:
 If I go to them and say I want to
 buy system wide virus protection that will be more efficient but it will
 cost $XXX.XX thousand dollars, all they will hear is THOUSANDS OF
 DOLLARS.

Have you looked at ClamWin?

http://www.clamwin.com/

--
AdamT
'Thank-you for not requesting read receipts'


[ActiveDir] Individual admin accounts vs Generic admin account.

2006-03-10 Thread AdamT
Dear collective,

In your esteemed opinions, is it better to have one central admin
account which every member of the sysadmin team should use, or is it
better to give every member of the team their own admin account?

I'm inclined towards giving people their own admin accounts, purely
from an audit point of view, but I'm being told that it's better to
have one central admin account, as it is easier to track which
accounts have admin rights.  I would have thought that NET GROUP would
make that fairly obvious.

Am I missing something here?

--
AdamT
'Thank-you for not requesting read receipts'


Re: [ActiveDir] Phantom Account Locks

2006-03-03 Thread AdamT
Thanks all for the help with this.

Turned out he was logging on to his laptop locally, with the same
username as his domain account, but with a different password.

All sorted now.

--
AdamT
'Thank-you for not requesting read receipts'


[ActiveDir] Phantom Account Locks

2006-02-28 Thread AdamT
Dear all,

I have one site, with one user whose account is getting locked out
daily on their SBS box.
My first thought was that this guy is a bit of a muppet, and can't
retain information like passwords for longer than a couple of hours.
When this turned out not to be the case, I figured he must have
something running on his computer, which is attempting to authenticate
using his ID and an old password.
I thought maybe it was a mapped drive, done with a net use command and
a username/password argument.  After that didn't pan out, I thought it
might be something running as a cron job or scheduled task, but that
hasn't worked out either.

Any pointers on what could be doing this?

Cheers,

--
AdamT
'Thank-you for not requesting read receipts'


Re: [ActiveDir] Phantom Account Locks

2006-02-28 Thread AdamT
On 2/28/06, Susan Bradley [EMAIL PROTECTED] wrote:
 What's the security log say up on the server?

The security log has several of these:

Event ID 529
Source: Security
Category: Logon/Logoff
Type: Failure
User: NT AUTHORITY\SYSTEM
Computer: SBS-DC

Reason: Unknown user name or bad password
Username: j.bloggs
Domain: PC004
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PC004

And some of these:

Event ID: 681
Source: Security
Category: Account Logon
Type: Failure
User: NT AUTHORITY\SYSTEM
Computer: SBS-DC
The logon to account j.bloggs by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: PC004 failed. 
The error code was: 3221225578

(I looked that up, and the error code apparently means 'wrong password')

And some of these:

Event ID: 539
Source: Security
Category: Logon/Logoff
Type: Failure
User: NT AUTHORITY\SYSTEM
Computer: SBS-DC
Reason: Account locked out
User Name: j.bloggs
Domain: PC004
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PC004

Thanks for the mention of the lockout tools - will give them a go.

Cheers,


--
AdamT
'Thank-you for not requesting read receipts'
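
Added example (not part of the original post): Python that groups pasted Security-log text like the events above by user and workstation, decodes the event 681 error code, and flags records whose Domain field equals the workstation name. That pattern matches the cause reported in the follow-up post in this thread (a local logon on the laptop with the same username but a different password). The sample is re-typed from the post and trimmed; the function and key names are illustrative.

```python
import re
from collections import Counter

# NTSTATUS values; event 681 prints them in decimal
NTSTATUS = {0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

# Sample input: the three event shapes from the post, re-typed and trimmed
SAMPLE = """\
Event ID 529
Username: j.bloggs
Domain: PC004
Logon Type: 3
Workstation Name: PC004
Event ID: 681
The logon to account j.bloggs by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: PC004 failed.
The error code was: 3221225578
Event ID: 539
User Name: j.bloggs
Domain: PC004
Workstation Name: PC004
"""

def lockout_sources(text):
    """Group pasted Security-log events by (user, workstation)."""
    out = {}
    for chunk in re.split(r"(?m)^(?=Event ID)", text):
        head = re.match(r"Event ID:?\s*(\d+)", chunk)
        if not head:
            continue
        # "Key: value" lines; keys normalised so "User Name" == "Username"
        ev = {k.replace(" ", "").lower(): v.strip()
              for k, v in re.findall(r"(?m)^([A-Za-z ]+):[ \t]*(\S.*)$", chunk)}
        # Event 681 is free text: pull account, workstation and status from it
        free = re.search(r"account (\S+) by:\s*\S+ from workstation: (\S+) failed"
                         r".*?error code was: (\d+)", chunk, re.S)
        if free:
            code = int(free.group(3))
            ev.update(username=free.group(1), workstationname=free.group(2),
                      status=NTSTATUS.get(code, hex(code)))
        host = ev.get("workstationname")
        s = out.setdefault((ev.get("username"), host),
                           {"ids": Counter(), "statuses": set(), "local": False})
        s["ids"][int(head.group(1))] += 1
        s["statuses"].update(filter(None, [ev.get("status")]))
        # Domain == workstation name: a local account on that machine was offered
        s["local"] |= ev.get("domain", "").lower() == (host or "?").lower()
    return out
```

Calling `lockout_sources(SAMPLE)` returns one entry keyed `("j.bloggs", "PC004")` with `local` set, which points the investigation at the workstation's own account database rather than at a stale domain password.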


Re: [ActiveDir] Phantom Account Locks

2006-02-28 Thread AdamT
On 2/28/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote:
 SBS has a pretty lenient group policy lockout set up by the SBS box
 group policy ...you have to hit 50 invalid logon attempt for an account
 to lockout.

This one's set to 5 invalid logon attempts, which means it happens a
little more often.  I'll have to ask somebody at the site to take a
look at his machine, since his subnet isn't routable from this office
:-(


--
AdamT
'Thank-you for not requesting read receipts'


Re: [ActiveDir] Who would have thunk it....

2006-02-09 Thread AdamT
On 2/9/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote:
 Are we truly sure it's him though?  Not a rogue developer who hacked
 into his blog and posted?

 It could be a compromised blog.

I checked the date.  It didn't say April 1st.

--
AdamT
'Thank-you for not requesting read receipts'


Re: [ActiveDir] [List Owner] IE7 and ActiveDir

2006-01-19 Thread AdamT
On 1/16/06, Rich Milburn [EMAIL PROTECTED] wrote:

 Server Error in '/' Application.

Might be totally unrelated, but there was something similar mentioned
recently at:

http://discuss.jarretthousenorth.com/newsItems/departments/Microsoft


--
AdamT
Maidenhead is *not* in Kent


Re: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread AdamT
On 1/18/06, Crawford, Scott [EMAIL PROTECTED] wrote:

 For example, if the
 domain box shows MICROSOFT, change it to Microsoft.com or vice-versa.  This
 seems to trigger a domain rejoin without having to join the workgroup.

 snip

On a side-note - is there a command line utility which will allow a
workstation to be renamed/joined to a domain?

I'm aware of a way of creating a computer account using the NET
command, but this has to be done from the server, and ideally, I'm
hoping there's a way of joining from the NT4/2kpro/XP workstations.

--
AdamT
Maidenhead is *not* in Kent


Re: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread AdamT
On 1/18/06, Aaron Visser [EMAIL PROTECTED] wrote:
snip
  I have had to actually ghost computers in order to rejoin the
 domain because I do not have any local accounts active on my computers in
 the school, makes it a little safer :) but with that comes more work :(

Surely it's not possible to delete the administrator account?

You might be able to disable it, but IIRC, you can reset the password
and unlock/re-enable the account using the infamous bootdisk at:
http://home.eunet.no/~pnordahl/ntpasswd/

Shouldn't need to re-image.

--
AdamT
Maidenhead is *not* in Kent


Re: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread AdamT
On 1/18/06, Doug Ferguson [EMAIL PROTECTED] wrote:
 I would use NETDOM JOIN.  Type NETDOM JOIN /? To see the syntax.

Thanks, I'll look in to that.  Would save me lots of time talking
engineers through the process of joining a domain when they turn up to
install new PCs.
I'm also somewhat unhappy with reading out account passwords over the
phone to engineers I've never met.  Netdom and psexec ought to take
care of this for me ;-)

--
AdamT
Maidenhead is *not* in Kent


Re: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread AdamT
On 1/19/06, Aaron Visser [EMAIL PROTECTED] wrote:

 Taken from
 http://www.sysinternals.com/Utilities/NewSid.html under the
 SID Duplication Problem


   snip

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000
installation generates a unique Security IDentifier (SID). If you then
clone a workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID
generated by the domain controller and do not use the local
workstation SID for security. It IS a problem in a Windows 2000 domain
as the local machine SID is used in nearly all aspects of security and
before migrating to 2000 you should resolve any duplicate SID issues
which may have been caused by cloning installations.

--
AdamT
Maidenhead is *not* in Kent


Re: [ActiveDir] Access Denied error when joining the domain

2006-01-09 Thread AdamT
On 1/9/06, Alborzfard, Alex [EMAIL PROTECTED] wrote:


 Should the SID of PCs be changed to resolve the problem and if so which tool
 can be used?

Yes, you should change the SID of the machines.  If you're using
Ghost, it should have a package called Ghost Walker with it, which can
change the SIDs.

Otherwise - get yourself a copy of NewSID:
http://www.sysinternals.com/Utilities/NewSid.html

Sysprep, IIRC can be used to regenerate SIDs for a workstation.

--
AdamT
Maidenhead is *not* in Kent


Re: [ActiveDir] WinXP activation problem

2005-12-30 Thread AdamT
On 12/30/05, Amit Singh [EMAIL PROTECTED] wrote:
 Ask pankaj garg to provide the original CD, because I know that you guys
 used a 30-day trial version CD. Do you think that Microsoft is a fool?

Surely a 30-day trial version of XP couldn't be activated at all?

So long as you have a valid product code for each machine with XP on
it (look on the CD case, or on the machine itself for OEM), you should
be able to activate them.  If in doubt, phone Microsoft's activation
line and speak to someone there.

--
AdamT
Maidenhead is *not* in Kent


Re: [ActiveDir] another dhcp question

2005-12-20 Thread AdamT
On 12/19/05, Tom Kern [EMAIL PROTECTED] wrote:
 What are the pros and cons of using reservation with unlimited lease instead
 of static addresses for servers and network printers?

You're probably better off sticking with static IPs for servers.  In
case the DHCP server falls over, anything wanting to pick up a
reserved IP from the DHCP server will fail.

--
AdamT
Maidenhead is *not* in Kent


Re: [ActiveDir] Exchange mailbox backup problem

2005-12-20 Thread AdamT
On 12/19/05, McNicholas, Joe [EMAIL PROTECTED] wrote:
 For 5 mailboxes, just export them to PST files from Outlook, and then
 re-import them when connected to the new server.

Can you do that for mailboxes > 2Gb?

--
AdamT
Maidenhead is *not* in Kent


Re: [ActiveDir] DHCP(ot)

2005-12-19 Thread AdamT
On 12/19/05, Tom Kern [EMAIL PROTECTED] wrote:
 My company wants to use 3rd party dhcp product like Bluecat's Adonis 500 or
 1000 instead of Windows DHCP.

 Is there really any compelling reason to dump or not dump Windows DHCP?

Personally, I would say that dumping the Win DHCP is probably a bad idea.

http://www.bluecatnetworks.com/products/adonis-appliances/adonis1000/features/

-gives a list of the features.  See if there's anything in there which
compels you to buy their product.

--
AdamT
Maidenhead is *not* in Kent
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] [Way OT] DNS MX load balancing questions...

2005-12-12 Thread AdamT
On 12/11/05, Freddy HARTONO [EMAIL PROTECTED] wrote:

 That means it makes no sense to invest in having 1 backup MX of lower
 priorities?

It makes perfect sense to have a backup MX of a lower priority.  Most
of your users may be located in New York, so you'd want most of your
mail routed in that way, and would only want the mail server at your
remote site in London to accept mail if NYC was down for some reason.
Your London server might be sitting on a very slow connection to the
outside world, or maybe it's a fairly old machine and not up to
handling high loads, meaning you'd probably only want it to be used in
an emergency.

--
AdamT
Maidenhead is *not* in Kent